
Antivirus Xp 2008 On A Windows Xp Machine


15 replies to this topic

#1 maryn
  • Members
  • 9 posts

Posted 16 September 2008 - 03:53 PM

Hi all,

I'm new to this, so please bear with me. I have a machine that has been hit with the Antivirus XP 2008. Spent a good part of the day "cleaning house" etc. to get the machine back to working order.

I have managed to clear the bogus "splash screens" etc that get thrown out there with Antivirus XP, however I now have a problem with very slow performance and no ability to work with my printers at all. I keep getting an error popping up relating to the Data Execution Prevention. Wondering if/how I can get past this. I suspect that the Antivirus XP 2008 is the culprit.

Any help would be greatly appreciated.

Thanks,

Mary


#2 DaChew
    Visiting Alien
  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 16 September 2008 - 04:09 PM

Welcome to Bleeping maryn

So as not to duplicate efforts, what programs have you used to try to clean this infection?
Chewy

No. Try not. Do... or do not. There is no try.

#3 maryn
  • Topic Starter
  • Members
  • 9 posts

Posted 16 September 2008 - 04:12 PM

Ad Aware has been run - manual cleanup of the registry - ran the SmitFraudFix -

Love your Hair - by the Way LOL

#4 DaChew
  • BC Advisor
  • 10,317 posts

Posted 16 September 2008 - 04:15 PM

Let's start from scratch then, we are using xp or vista I hope?

http://www.bleepingcomputer.com/forums/ind...st&p=946635

MBAM gets a good start on it
Chewy


#5 maryn
  • Topic Starter
  • Members
  • 9 posts

Posted 16 September 2008 - 04:18 PM

Sorry, don't know what MBAM is - and it is XP, not Vista

#6 maryn
  • Topic Starter
  • Members
  • 9 posts

Posted 16 September 2008 - 04:20 PM

Oops, sorry, but am getting called into a meeting I didn't know I would have to attend. I won't be able to stay on right now and work further til morning.

Maybe if you have a few moments, you can throw some ideas out there, and I'll give them a shot in the AM

Thanks in advance for your willingness to chat about this.

#7 DaChew
  • BC Advisor
  • 10,317 posts

Posted 16 September 2008 - 04:35 PM

Malwarebytes Anti-Malware

Follow the directions and post the log and we can go from there
Chewy


#8 maryn
  • Topic Starter
  • Members
  • 9 posts

Posted 17 September 2008 - 11:12 AM

Okay, I've had a chance to run MBAM on the pc - after running it the 3rd time, it ran clean without finding any issues. However, after I reboot I go back into windows\system32 and continue to find a file put there that I have deleted. The file name is lphc1d3j0e35g, which I know to be part of the Antivirus XP junk.

My screensavers etc are all back to normal - however I am still having the Data Execution Protection error whenever I attempt to go into my Printers

What's next?

#9 maryn
  • Topic Starter
  • Members
  • 9 posts

Posted 17 September 2008 - 11:13 AM

Sorry, here's the log file you asked me to post -

Malwarebytes' Anti-Malware 1.28
Database version: 1163
Windows 5.1.2600 Service Pack 3

9/17/2008 9:06:27 AM
mbam-log-2008-09-17 (09-06-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 123740
Time elapsed: 48 minute(s), 43 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 9
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 15

Memory Processes Infected:
C:\WINDOWS\system32\lphc1d3j0e35g.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\blphc1d3j0e35g.scr (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\efcryp32.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc1d3j0e35g (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhc5d3j0e35g (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Microsoft Common\wuauclt.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcryp32.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphc1d3j0e35g.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphc1d3j0e35g.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phc1d3j0e35g.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\ckp\Local Settings\Temp\.ttC.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

#10 DaChew
  • BC Advisor
  • 10,317 posts

Posted 17 September 2008 - 01:09 PM

Love your Hair - by the Way LOL


It's all turned grey and is falling out since I started trying to help out here

http://www.bleepingcomputer.com/forums/ind...st&p=932362

would you use this post to install atf cleaner and SAS and then run them from safe mode
Chewy


#11 maryn
  • Topic Starter
  • Members
  • 9 posts

Posted 17 September 2008 - 04:10 PM

Okay, so here's the deal. I ran the SAS and after an hour or better, it found approx. 57 entries, which I quarantined. However, when I went back in to retrieve the log file, there was no info in it.

But the pc (and the printing functionality) are currently all in working order. The only thing that continues to happen is that I get a pop-up window that references the Data Execution Protection not working. Before when I got that error, I had no printing function. So not sure what might happen over the next day or so, if something rears its ugly head again, but am crossing my fingers for the moment.

Any thoughts on the Data Execution Protection error? The research I've found on it doesn't say much at all.

At any rate, thank you very much for your help thus far - it's been an uphill battle as I'm sure you know all too well.

I'll keep you posted if things change.

Again, thanks.

#12 DaChew
  • BC Advisor
  • 10,317 posts

Posted 17 September 2008 - 04:18 PM

There's light at the end of the tunnel, but we aren't done

Update MBAM and run another quick scan and we'll take it from there
Chewy


#13 maryn
  • Topic Starter
  • Members
  • 9 posts

Posted 18 September 2008 - 08:28 AM

Okay - here's the log file results from the quick scan using MBAM this morning

Malwarebytes' Anti-Malware 1.28
Database version: 1166
Windows 5.1.2600 Service Pack 3

9/18/2008 8:20:57 AM
mbam-log-2008-09-18 (08-20-46).txt

Scan type: Quick Scan
Objects scanned: 71386
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc1d3j0e35g (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhc5d3j0e35g (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\blphc1d3j0e35g.scr (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\lphc1d3j0e35g.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\phc1d3j0e35g.bmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Temp\.tt2.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Temp\.ttD.tmp (Trojan.Downloader) -> No action taken.
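Read side by side, the two MBAM logs in posts #9 and #13 make the case DaChew raises in the following post: items reported as "Quarantined and deleted successfully" on 17 September are back, under exactly the same names, on 18 September, so something still on the machine is re-creating them. The script below is an added example and is not code from either poster: it parses the two log excerpts (copied from the thread; the Hotbar and wallpaper entries are left out for brevity), reports which detections came back and which are new, and flags the entries that are footholds (autostart values under the Run key, the Image File Execution Options key for explorer.exe, whose Debugger value runs in place of the named program, and a kernel driver) as opposed to payload files. The classification of each entry is this example's own reading of the log, not MBAM's.

```python
"""Compare two Malwarebytes' Anti-Malware logs and report what came back after cleaning."""
import re

# Excerpts of the logs posted on 17 and 18 September 2008 (copied from the thread,
# trimmed to the entries relevant to the re-infection).
LOG_DAY1 = r"""Memory Processes Infected:
C:\WINDOWS\system32\lphc1d3j0e35g.exe (Trojan.FakeAlert) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\system32\blphc1d3j0e35g.scr (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc1d3j0e35g (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhc5d3j0e35g (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphc1d3j0e35g.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphc1d3j0e35g.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phc1d3j0e35g.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

LOG_DAY2 = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc1d3j0e35g (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhc5d3j0e35g (Trojan.FakeAlert) -> No action taken.
Files Infected:
C:\WINDOWS\system32\blphc1d3j0e35g.scr (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\lphc1d3j0e35g.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\phc1d3j0e35g.bmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Temp\.tt2.tmp (Trojan.Downloader) -> No action taken.
"""

# One detection line: "<item> (<Family>) -> <action>."  Some lines carry an extra
# "Bad: (1) Good: (0) ->" segment, so the action is taken as the last "->" part.
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z.]+)\) -> (?P<rest>.+)$")


def parse_mbam(text):
    """Return the detections in an MBAM log as dicts: section, item, family, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):        # skip blanks and "(No malicious items detected)"
            continue
        if line.endswith("Infected:"):               # e.g. "Registry Keys Infected:"
            section = line[:-len(" Infected:")]
            continue
        m = LINE_RE.match(line)
        if m:
            action = m.group("rest").split(" -> ")[-1].rstrip(".")
            entries.append({"section": section, "item": m.group("item"),
                            "family": m.group("family"), "action": action})
    return entries


def persistence_kind(item):
    """This example's own classification: does the entry give the malware a foothold?"""
    low = item.lower()
    if "\\image file execution options\\" in low:
        return "IFEO Debugger hijack (launched in place of the named program)"
    if "\\currentversion\\run\\" in low:
        return "autostart (Run value)"
    if low.endswith(".sys"):
        return "kernel driver"
    if low.endswith(".scr"):
        return "screensaver payload"
    return "payload / data file"


def footholds(text):
    """Unique items in a log that are persistence mechanisms rather than plain payload files."""
    seen = {}
    for e in parse_mbam(text):
        kind = persistence_kind(e["item"])
        if kind != "payload / data file":
            seen.setdefault(e["item"], kind)
    return seen


def compare_scans(first, second):
    """Split the second scan's unique items into those also seen in the first, and new ones."""
    earlier = {e["item"].lower() for e in parse_mbam(first)}
    returned, new = [], []
    for e in parse_mbam(second):
        (returned if e["item"].lower() in earlier else new).append(e["item"])
    return list(dict.fromkeys(returned)), list(dict.fromkeys(new))


if __name__ == "__main__":
    for item, kind in footholds(LOG_DAY1).items():
        print(f"[foothold, day 1] {kind}: {item}")
    back, fresh = compare_scans(LOG_DAY1, LOG_DAY2)
    print(f"\n{len(back)} item(s) removed on day 1 are back on day 2:")
    print("\n".join("  " + i for i in back))
    print(f"\n{len(fresh)} item(s) are new on day 2:")
    print("\n".join("  " + i for i in fresh))
```

Five of the seven day-2 detections are exact repeats of names removed the day before, including the Run value and the dropped .exe that maryn saw reappear in system32; the new Run value uses a fresh random suffix, which is why a scanner clearing the names it knows does not end the cycle.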

#14 DaChew
  • BC Advisor
  • 10,317 posts

Posted 18 September 2008 - 08:58 AM

Would you try atf cleaner and SAS again from safe mode, a quick scan of just C drive

This infection is a bad one

this post would apply to you also


http://www.bleepingcomputer.com/forums/ind...st&p=940502

I would recommend a clean install, but we can continue to try to clean it up
Chewy


#15 maryn
  • Topic Starter
  • Members
  • 9 posts

Posted 19 September 2008 - 02:18 PM

Broke down, gave up the fight, re-installed the pc, and life is good. I sure hate having to give in, but time is money.

thanks again for all your help and support in this process. Have a great weekend!!
